could someone point me in the direction of getting ntp to work with selinux on fedora C2? does anyone have experience with this? is it supposed to just work with the default file_contexts? any help is appreciated...thanks
j ..
On Thu, 17 Jun 2004 04:51, "Jason Hooper" jhooper@tlcontact.com wrote:
could someone point me in the direction of getting ntp to work with selinux on fedora C2? does anyone have experience with this? is it supposed to just work with the default file_contexts? any help is appreciated...thanks
For the typical operation (synchronising from a master server somewhere on the net) it is supposed to just work, it does for me. I have a rawhide machine running the strict SE Linux policy synchronising with an NTP server right now, and I don't believe that FC2 differs from the current rawhide in any significant way related to NTP.
Does ntpd support directly interfacing with GPS hardware or other accurate time sources? If so some extra policy will be needed to support this.
If you see any AVC messages related to ntpd then please post them to this list.
Yeah, it seems like it should just work...yet it doesn't...weird. I have two machines trying to sync (well, three, but the third one works and is not selinux).
I get this avc on both :
Machine1 :
Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file
Machine2 :
Jun 17 06:11:33 doh2 kernel: audit(1087470693.719:0): avc: denied { write } for pid=2335 exe=/usr/sbin/ntpdate path=/ dev=hda2 ino=5060 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file
Machine2 has an ntpd.te file while machine1 does not. Does that matter in this case? I can send it if it's needed.
Thanks again for the help
..
-----Original Message----- From: Russell Coker [mailto:russell@coker.com.au] Sent: Wednesday, June 16, 2004 10:01 PM To: fedora-selinux-list@redhat.com Cc: Jason Hooper Subject: Re: ntp
On Thu, 2004-06-17 at 10:03, Jason Hooper wrote:
Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file
Mismatch between your kernel and policy. RedHat released a kernel update for FC2 without updating the policy accordingly. If you update to selinux-policy-strict in the devel tree, you should be ok. But note that this also requires updating SysVinit, libselinux, and possibly other components as the policy layout has changed completely in the devel tree.
On Fri, 18 Jun 2004 00:03, "Jason Hooper" jhooper@tlcontact.com wrote:
Yeah, it seems like it should just work...yet it doesn't...weird. I have two machines trying to sync (well, three, but the third one works and is not selinux).
I get this avc on both :
Machine1 :
Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file
Machine2 has an ntpd.te file while machine1 does not. Does that matter in this case? I can send it if it's needed.
To be pedantic, you would not have a domain of "ntpd_t" unless there was ntpd.te installed. Machine1 may have installed a binary policy, or the source policy may have been changed, but ntpd.te was certainly used.
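An added example, not code from the thread or from the Fedora policy tools: a small parser for AVC records in the syslog format quoted above, with two checks that follow from the two replies. First, it pulls the source domain out of scontext, which is what Russell's point rests on: a record showing scontext=...:ntpd_t can only come from a policy that was built with ntpd.te. Second, it applies the plausibility check behind Stephen's diagnosis: the root directory "/" can only be of class dir, so a record naming path=/ with tclass=chr_file is describing the object with a class name that does not fit it, which is what a kernel/policy mismatch looks like in the log. The two log lines are copied from the thread; the third, well-formed record in the usage note is constructed. Field names, the regular expressions and the assumption that the path field is trustworthy are mine.

```python
"""Parse SELinux AVC denials in the 2004-era syslog format quoted in this
thread and run a few plausibility checks on the decoded fields."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# audit(<epoch.ms>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Avc:
    timestamp: float   # kernel audit timestamp (epoch seconds)
    serial: int
    result: str        # "denied" or "granted"
    perms: list        # e.g. ["write"]
    fields: dict       # pid, exe, path, dev, ino, scontext, tcontext, tclass


def parse_avc(line: str) -> Optional[Avc]:
    """Return an Avc for a syslog line carrying an AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Avc(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=m.group("perms").split(),
        fields=dict(KV_RE.findall(m.group("rest"))),
    )


def context_type(ctx: str) -> str:
    """Third field of user:role:type (an MLS range, if present, is a fourth)."""
    return ctx.split(":")[2]


def source_domain(avc: Avc) -> str:
    """The domain the process ran in; only exists if the policy defined it."""
    return context_type(avc.fields["scontext"])


def target_type(avc: Avc) -> str:
    return context_type(avc.fields["tcontext"])


def event_year(avc: Avc) -> int:
    """Year according to the logging kernel's own clock (UTC)."""
    return datetime.fromtimestamp(avc.timestamp, tz=timezone.utc).year


def class_fits_path(avc: Avc) -> bool:
    """Plausibility check: '/' is a directory, so a record naming path=/ must
    carry tclass=dir.  Any other class there means the printed class name does
    not describe the object (assumption: the path field itself is accurate).
    Other paths are not judged and pass."""
    path = avc.fields.get("path")
    tclass = avc.fields.get("tclass")
    if path is None or tclass is None:
        return True
    if path == "/":
        return tclass == "dir"
    return True


def summarize(lines):
    """Count denials by (source domain, target type, class, permission)."""
    counts = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.result != "denied":
            continue
        for perm in avc.perms:
            key = (source_domain(avc), target_type(avc), avc.fields.get("tclass"), perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


# The two records posted in the thread (copied, not constructed).
THREAD_LINES = [
    "Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file",
    "Jun 17 06:11:33 doh2 kernel: audit(1087470693.719:0): avc: denied { write } for pid=2335 exe=/usr/sbin/ntpdate path=/ dev=hda2 ino=5060 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t tclass=chr_file",
]

if __name__ == "__main__":
    for line in THREAD_LINES:
        a = parse_avc(line)
        print(source_domain(a), "->", target_type(a), a.fields["tclass"], a.perms,
              "kernel clock year:", event_year(a), "class fits path:", class_fits_path(a))
    print(summarize(THREAD_LINES))
```

Running it over the two posted lines reports the domain ntpd_t for both (so ntpd.te was in the policy on both machines, as Russell says), flags both as class-not-fitting-path, and also shows that Machine1's kernel clock was reading 2003 when it logged the record, which is what ntpdate was about to correct. On a current distribution the same raw records are better pulled with `ausearch -m avc` and fed to `audit2allow`; this parser is for reading the old syslog format by hand.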